Client side OTP generation method

ABSTRACT

A client-server security architecture is disclosed that uses a masked grid, a seed, and mutual unlocking techniques to authentication a client device with a server machine using a one-time code (OTC). The client device in the client-server architecture stores a masked grid that is used to unlock an authentication code using a seed. Once mutually unlocked, the client device may generate an OTC to attempt to authenticate the client device with a server machine. The server machine validates that OTC with the OTC stored at the server to confirm they match. Each subsequent access may repeat the aforementioned steps. Moreover, in a multi-device ecosystem, a plurality of client devices may leverage a primary client device to connect with the server machine. For example, one or more subordinate client devices may connect to the primary client device to then tunnel through to the server machine in a secure manner.

TECHNICAL FIELD

Aspects of the disclosure provide effective, efficient, and scalabletechnical solutions that address and overcome the technical problemsassociated with systems and methods that generate one-time passwords(OTPs) at a client-side machine, including multi-device clientenvironments, by using one or more features disclosed herein. Oneembodiment discloses a multi-device validation method and system thatcomprises authentication using a seed and mutual unlocking techniques.

BACKGROUND

An OTP is a password that is valid for only one login session ortransaction, on a computer system or other digital device, Wikipediaexplains. OTPs avoid a number of shortcomings that are associated withtraditional authentication. Some OTP implementations also incorporatetwo-factor authentication by ensuring that the OTP requires access tosomething a person has in their possession, such as a specificsmartphone in combination with a user's PIN. OTPs are notably differentfrom traditional authentication systems in that OTP systems are lessvulnerable to replay attacks. Another benefit of OTP systems is that itpermits a user to re-use the same PIN for multiple systems withoutleaving the user vulnerable across all systems if the password ismaliciously revealed. Moreover, Wikipedia explains that OTPs have beendiscussed as a possible replacement for, as well as enhancer to,traditional passwords.

Nevertheless, there is for room for improvements to OTP systems. Thecombination of features disclosed herein address one or more of risksand/or drawbacks in existing computing solutions to provide a technicalsolution to a technological problem in the industry.

SUMMARY

The following presents a simplified summary in order to provide a basicunderstanding of some aspects of the disclosure. The summary is not anextensive overview of the disclosure. It is neither intended to identifykey or critical elements of the disclosure nor to delineate the scope ofthe disclosure. The following summary merely presents some concepts ofthe disclosure in a simplified form as a prelude to the descriptionbelow.

In one example, apparatuses, method steps, and systems are describedhere for a client-server security architecture that uses a masked grid,a seed, and mutual unlocking techniques to authentication a clientdevice with a server machine using a one-time code (OTC). The clientdevice in the client-server architecture stores a masked grid that isused to unlock an authentication code using a seed. Once mutuallyunlocked, the client device may generate an OTC to attempt toauthenticate the client device with a server machine. The server machinevalidates that OTC with the OTC stored at the server to confirm theymatch. Each subsequent access may repeat the aforementioned steps. Forexample, a system of one or more computers can be configured to performparticular operations or actions by virtue of having software, firmware,hardware, or a combination of them installed on the system that inoperation causes or cause the system to perform the actions. One or morecomputer programs can be configured to perform particular operations oractions by virtue of including instructions that, when executed by dataprocessing apparatus, cause the apparatus to perform the actions.

One general aspect includes a method for enrolling a client machine witha server machine for later authentication with a one-time code (OTC),the method including steps performed by the server machine including:receiving an enrollment request from the client machine; generate aplurality of data values stored in a data grid in memory on the servermachine; generate a seed stored in a data array in memory on the servermachine; transform the data grid into a masked data grid using the seed;hash the seed; and transmit a cypher text to the client machine, wherethe cypher text includes the masked data grid and the hashed seed, wherethe client machine solves the cypher text to authenticate itself withthe server machine. Other embodiments of this aspect includecorresponding computer systems, apparatus, and computer programsrecorded on one or more computer storage devices, each configured toperform the actions of the methods.

Implementations may include one or more of the following features. Themethod further including steps performed by the server machineincluding: receive the OTC from the client machine; validate the OTCusing the data grid, authorization codes, and seed; and after validationof the OTC, grant access to the client machine to a databasecommunicatively coupled to the server machine, where prior to thevalidating the client machine was prohibited from accessing thedatabase. The method where the validating the OTC further includes stepsperformed by the server machine including: un-hashing the OTC receivedfrom the client machine; confirming that the unhashed OTC matches theauthorization codes stored in the memory at the server machine; andestablishing a secure connection for the client machine to access thedatabase at the server machine. The method further including stepsperformed by the server machine including: receive a constructedsolution generated by the client machine using the seed and data valuesin the masked grid; unmask the seed using the constructed solution fromthe client machine and the data grid stored in the memory at the servermachine; transmit an unmasked seed to the client machine; and transmitthe authorization codes to the client machine. The method where theauthorization codes from the server machine are received, by the clientmachine, before constructing the solution for the cypher text; and wherethe constructing, by the client machine, the solution for the cyphertext uses the authorization codes. The method where the masked grid is a2d matrix with data values. The method where the seed includes at leasts0, s1, and s2, and where the authorization codes include x-coordinatesand y-coordinates corresponding to the 2d matrix. The method where thedata grid stored in the memory at the server machine includes a 2dmatrix with the plurality of data values corresponding to x-coordinatesand y-coordinates on the 2d matrix, and where the authorization codesare x-y coordinate pairings corresponding to the 2d matrix.Implementations of the described techniques may include hardware, amethod or process, or computer software on a computer-accessible medium.

One general aspect includes a system for enrolling a client machine witha server machine for later authentication with an OTC, the systemincluding: a server machine including a processor and a memory storingan authentication module. The system also includes a client machineincluding a processor, a memory, and a network communication interface,where the first client machine is communicatively coupled to the servermachine via the network communication interface, where the memory of thefirst client machine further stores an interface to the authenticationmodule; where the authentication module, when executed by the processorof the server machine, causes the server machine to perform variousmethod steps disclosed herein. Another general aspect includes anapparatus for enrolling a client machine for later authentication withan OTC, the apparatus including: a network communication interfacecommunicatively coupling the apparatus with the client machine. Theapparatus also includes a processor; and a memory storingcomputer-executable instructions that, when executed by the processor,cause the apparatus to perform one or more of the method steps disclosedherein. Other embodiments of this aspect include corresponding computersystems, apparatus, and computer programs recorded on one or morecomputer storage devices, each configured to perform the actions of themethods.

In another example, this application discloses a multi-deviceenvironment that may include authentication methods and systems that usea seed and mutual unlocking techniques to validate a secure connection.In the multi-device ecosystem, a plurality of client devices mayleverage a primary client device to connect with the server machine. Forexample, one or more subordinate client devices may connect to theprimary client device to then tunnel through to the server machine in asecure manner. A system of one or more computers can be configured toperform particular operations or actions by virtue of having software,firmware, hardware, or a combination of them installed on the systemthat in operation causes or cause the system to perform the actions. Oneor more computer programs can be configured to perform particularoperations or actions by virtue of including instructions that, whenexecuted by data processing apparatus, cause the apparatus to performthe actions.

One general aspect includes a system for authenticating a plurality ofclient machines with a server machine using one-time codes, the systemincluding: a server machine including a processor and a memory storingan authentication module. The system also includes a first clientmachine including a processor, a memory, and a network communicationinterface, where the first client machine is communicatively coupled tothe server machine via the network communication interface, where thememory of the first client machine further stores an interface to theauthentication module. The system also includes a second and/or thirdclient machines coupled to the first client machine and which is not indirect communication with the server machine. In some embodiments, thesecond machine is configured to authenticate and validate a secureconnection with the server machine through the first client machine byusing a cypher text that the authentication module of the server machineused to validate the first client machine, and where the second clientmachine stores computer-executable instructions that, when executed by aprocessor, cause the system to perform various method steps disclosedherein. The system also includes instruction that store, by the secondclient machine, a second cypher text in memory at the second clientmachine, where the second cypher text includes a second masked grid witha second seed. The system also includes instructions that construct, bythe second client machine, a second solution for the second cypher textusing the second seed and data values in the second masked grid. Thesystem also includes transmits, by the second client machine, theconstructed second solution to the first client machine to unlock thesecond masked grid. The system also includes unmasking the second seed,by the first client machine, using the constructed second solution fromthe second client machine and a second data grid stored in memory at thefirst client machine. The system also includes transmitting, by thefirst client machine, an unmasked second seed and second authorizationcodes to the second client machine. The system also includes dynamicallygenerating, by the second client machine, a second one-time code usingthe second unmasked seed, the second authorization codes, and the secondmasked grid. The system also includes sending, by the second clientmachine, the second OTC to the first client machine, where the secondOTC corresponds to the second authorization codes. The system alsoincludes validating, by the first client machine, the second OTC fromthe second client machine using the second data grid stored in memory atthe first client machine. The system also includes after validation ofthe second OTC by the first client machine, granting, by the firstclient machine, the second client machine access to the server machine.Other embodiments of this aspect include corresponding computer systems,apparatus, and computer programs recorded on one or more computerstorage devices, each configured to perform the actions of the methods.

Implementations may include one or more of the following features. Thesystem where the authentication module is configured to perform a methodincluding steps to: store, through the interface at the first clientmachine, the cypher text in memory at the first client machine, wherethe cypher text includes a masked grid with a seed; construct, by theinterface at the first client machine, a solution for the cypher textusing the seed and data values in the masked grid; transmit, by theinterface at the first client machine, the constructed solution to theserver machine to unlock the masked grid; unmask the seed, by the servermachine, using the constructed solution from the first client machineand a data grid stored in memory at the server machine; transmit, by theserver machine, an unmasked seed to the first client machine; transmit,by the server machine, authorization codes to the first client machine;dynamically generate, by the interface at the first client machine, aOTC using the unmasked seed, the authorization codes, and the maskedgrid; send, by the interface at the first client machine, the OTC to theserver machine, where the OTC corresponds to the authorization codes;validate, by the server machine, the OTC from the first client machineusing the data grid stored in memory at the server machine; and aftervalidation of the OTC by the server machine, grant, by the servermachine, the first client machine access to a database at the servermachine. The system where the authentication module of the servermachine, when executed by the processor of the server machine, causesthe server machine to: retrieve a seed; transmit the seed to the firstclient machine; receive an OTC from the first client machine, where theOTC was dynamically generated at the first client machine; validate theOTC; and upon validation of the OTC, send an indication of grant to thefirst client machine to access a database at the server machine.Implementations of the described techniques may include hardware, amethod or process, or computer software on a computer-accessible medium.

One general aspect includes a method for authenticating a client machinewith a server machine using an OTC, the method including steps to:store, by the client machine, a cypher text in memory at the clientmachine, where the cypher text includes a masked grid with a seed;construct, by the client machine, a solution for the cypher text usingthe seed and data values in the masked grid; transmit, by the clientmachine, the constructed solution to the server machine to unlock themasked grid; unmask the seed, by the server machine, using theconstructed solution from the client machine and a data grid stored inmemory at the server machine; transmit, by the server machine, anunmasked seed to the client machine; transmit, by the server machine,authorization codes to the client machine; dynamically generate, by theclient machine, a one-time code (otc) using the unmasked seed, theauthorization codes, and the masked grid; send, by the client machine,the otc to the server machine, where the otc corresponds to theauthorization codes; validate, by the server machine, the otc from theclient machine using the data grid stored in memory at the servermachine; and after validation of the otc by the server machine, grant,by the server machine, the client machine access to a database at theserver machine. Other embodiments of this aspect include correspondingcomputer systems, apparatus, and computer programs recorded on one ormore computer storage devices, each configured to perform the actions ofthe methods.

Implementations may include one or more of the following features. Themethod further including steps to recycle the cypher text toauthenticate a second client machine, which is not in directcommunication with the server machine, to: store, by the second clientmachine, a second cypher text in memory at the second client machine,where the cypher text includes a second masked grid with a second seed;construct, by the second client machine, a second solution for thesecond cypher text using the second seed and data values in the secondmasked grid; transmit, by the second client machine, the constructedsecond solution to the client machine to unlock the second masked grid;unmask the second seed, by the client machine, using the constructedsecond solution from the second client machine and a second data gridstored in memory at the client machine; transmit, by the client machine,an unmasked second seed to the second client machine; transmit, by theclient machine, second authorization codes to the second client machine;dynamically generate, by the second client machine, a second one-timecode using the second unmasked seed, the second authorization codes, andthe second masked grid; send, by the second client machine, the secondotc to the client machine, where the second otc corresponds to thesecond authorization codes; validate, by the client machine, the secondotc from the second client machine using the second data grid stored inmemory at the client machine; and after validation of the second otc bythe client machine, grant, by the client machine, the second clientmachine access to the server machine. Implementations of the describedtechniques may include hardware, a method or process, or computersoftware on a computer-accessible medium. Another general aspectincludes one or more non-transitory computer-readable media storinginstructions that, when executed by one or more computer processors,causes one or more client machines to perform the method steps disclosedherein. Other embodiments of this aspect include corresponding computersystems, apparatus, and computer programs recorded on one or morecomputer storage devices, each configured to perform the actions of themethods.

These features, along with many others, are discussed in greater detailbelow.

BRIEF DESCRIPTION OF THE DRAWINGS

The present disclosure is illustrated by way of example and not limitedin the accompanying figures in which like reference numerals indicatesimilar elements and in which:

FIG. 1 illustrates a client-server architecture that enrolls a clientdevice with a server machine that generates a masked grid using a seed,in accordance with one or more example embodiments;

FIG. 2 illustrates a client-server architecture that validates a clientdevice with a server machine using a masked grid with a seed, inaccordance with one or more example embodiments;

FIG. 3 includes tables with illustrative masked values corresponding tovarious variables described herein in accordance with one or moreexample embodiments;

FIG. 4 includes tables with illustrative unmasked values correspondingto various variables described herein in accordance with one or moreexample embodiments;

FIG. 5 depicts illustrative computing environments in accordance withone or more example embodiments;

FIG. 6 depicts a computing environment with multiple client devicescommunicating in an authenticated manner using masked grids with seeds,in accordance with one or more example embodiments;

FIG. 7 illustrates one example operating environment in which variousaspects of the disclosure may be implemented in accordance with one ormore aspects described herein.

In the following description of various illustrative embodiments,reference is made to the accompanying drawings, which form a parthereof, and in which is shown, by way of illustration, variousembodiments in which aspects of the disclosure may be practiced. It isto be understood that other embodiments may be utilized and structuraland functional modifications may be made, without departing from thescope of the present disclosure. It is noted that various connectionsbetween elements are discussed in the following description. It is notedthat these connections are general and, unless specified otherwise, maybe direct or indirect, wired or wireless, and that the specification isnot intended to be limiting in this respect.

DETAILED DESCRIPTION

In one example, apparatuses, method steps, and systems are describedhere for a client-server security architecture that uses a masked grid,a seed, and mutual unlocking techniques to authentication a clientdevice with a server machine using a one-time code (OTC). The clientdevice in the client-server architecture stores a masked grid that isused to unlock an authentication code using a seed. Once mutuallyunlocked, the client device may generate an OTC to attempt toauthenticate the client device with a server machine. The server machinevalidates that OTC with the OTC stored at the server to confirm theymatch. Each subsequent access may repeat the aforementioned steps.

In one example, a multi-device environment may include authenticationmethods and systems that use a seed and mutual unlocking techniques tovalidate a secure connection. In the multi-device ecosystem, a pluralityof client devices may leverage a primary client device to connect withthe server machine. For example, one or more slave/subordinate clientdevices may connect to the master/primary client device to then tunnelthrough to the server machine in a secure manner.

Referring to FIG. 1, the flow diagram 100 illustrates a client-serverarchitecture that enrolls a client device 102 with a server machine 104that generates a masked grid 304 using a seed 306, in accordance withone or more example embodiments disclosed herein. A method isillustrated for enrolling the client machine with the server machine forlater authentication with a one-time code (OTC). In one example, theserver machine 104 performs one or more steps comprising receiving 111an enrollment request from the client machine 102. The client machine102 may generate and transmit an OTC from the client machine to theserver machine 104. The server machine 104 may performs additionalsteps, as illustrated in FIG. 1, comprising generating 112 a pluralityof data values stored in a data grid in memory 505B on the servermachine 104. The server machine may generate a fresh data grid for eachenrollment request received from client devices. Thus, security ismaximized.

Referring to FIG. 1, in addition to the data grid, the server machine104 may also generate 113 a seed 306 stored in a data array in thememory 505B on the server machine 104. An example of the random seeddata array 310 is illustrated in FIG. 3, which is described below.

With the data grid and seed ready, the server machine 104 then, in someexamples, transforms 114 the data grid into a masked data grid using theseed, and then hashes the seed for added security. The masked grid andthe hashed seed may form a cypher text that the server machine 104 cansafely transmit 115 to the client machine 102. In some examples, themasked grid may comprise a two-dimensional (2D) matrix with data values.

The client machine 102 may then attempt to solve the cypher text toauthenticate itself with the server machine 104. In some examples, theclient machine 102 receives authorization codes 308 from the servermachine 104 before constructing the solution for the cypher text. Theclient machine 102 may used the authorization codes to construct thesolution for the cypher text. In yet other examples, the authorizationcodes may comprise x-coordinates and y-coordinates of a 2D matrixcorresponding to the masked grid. And, the seed 306 may comprise atleast values S0, S1, and S2, as illustrated in FIG. 3. For example, thedata grid 304 stored in the memory at the server machine 104 maycomprises a plurality of data values corresponding to x-coordinates andy-coordinates, and the authorization codes are x-y coordinate pairingscorresponding to the values stored in the data grid 304. In other words,an authorization code of B0 corresponds to the value “84” in table 302,which corresponds to a masked value comprising seed (e.g., S0, S1, S2,and so on) values and/or static values combined in an arithmeticoperation.

Like the client machine 102, the server machine 104 may be programmed tovalidate the OTC using the data grid 302, authorization codes 308, andseed 306 stored on the server machine 104. For example, the servermachine 104 may receive a constructed solution generated by the clientmachine 102 using the seed and data values in the masked grid. Then, theserver machine 104 may unmask the seed using the constructed solutionfrom the client machine 102 and the data grid stored in the memory atthe server machine. Finally, the server machine 104 may transmit anunmasked seed and the authorization codes 208 to the client machine 102.Upon receipt, the client machine 102 may process and compare thereceived values with the values it stores in its memory. When the valuesmatch, the authentication process is successful. After validation of theOTC, the client machine 102 may be granted access to a database 106communicatively coupled to the server machine 104. Prior to validation,the client machine 102 may have been prohibited from accessing thedatabase 106. In some examples, the server machine 104 may, aftervalidating the OTC, then un-hash the OTC received from the clientmachine 102, confirm that the unhashed OTC matches the authorizationcodes stored in the memory at the server machine; and then establish asecure connection for the client machine 102 to access a secure database106.

FIG. 2 illustrates a client-server architecture that validates a clientdevice 102 with a server machine 104 using a masked grid with a seed, asillustrated in FIG. 3. Referring to FIG. 3, the data tables and valuesillustrated therein are used in a client-server environment to, amongother things, authenticate a client machine with a server machine usinga one-time code (OTC), as illustrated in FIG. 2.

The steps performed may include, but are not limited to: storing, by theclient machine 102, a cypher text in memory at the client machine. Thecypher text may, in some examples, include a masked grid with a seed.FIG. 3 illustrates a grid of data that may be used with masking and akey to authenticate a client device 102 with a server machine 104 inaccordance with one or more example embodiments disclosed herein. Theclient machine 102 may construct, in some examples, a solution for thecypher text using the seed and data values in the masked grid. Theclient machine 102 may then transmit the constructed solution 304 to theserver machine 104 to unlock the masked grid. In some examples, themasked grid 304 may be a 2D matrix with data values, and where the seedincludes at least S0, S1, and S2. Table 304 shows cells with valuescalculated with variables S0 to S8, that together total a value, such asa numeric value.

At the server machine 104, upon receipt of the constructed solution 304,the server machine may unlock the masked grid by, inter alia,identifying portions of the constructed solution that reference S0 andcalculating a value of S0 using the identified portions andcorresponding data values stored in the data grid. The server machinemay confirm that the calculated value of S0 matches the value of S0previously stored (e.g., table 310) in memory at the server machine. Ifthe values match, then the step has passed authentication and the servermachine 104 may transmit the unmasked seed to the client machine 102. Insome example, the unmasked seed may include the stored value of S0.

In response, the server machine 104 may unmask the seed using both theconstructed solution from the client machine 102 and a data grid 302stored in memory at the server machine. Then, the server machine 104 maytransmit an unmasked seed 306 to the client machine 102. The servermachine 104 may also transmit authorization codes 308 to the clientmachine 102. In some examples, the authorization codes may includex-coordinates and y-coordinates corresponding to a two-dimensional (2D)matrix. The 2D matrix may correspond to a masked grid 304 with datavalues. In some examples, the data grid stored in the memory at theserver machine may include a 2D matrix with data values corresponding tox-coordinates and y-coordinates on the 2D matrix, and where theauthorization codes are x-y coordinate pairings corresponding to the 2Dmatrix. For example, the authorization codes (references) may be A4, B0,and others. Meanwhile, the data grid 302 stored at the server machine104 may include a value of “89” at the coordinates of column A, row 4;and a value of “84” at column B, row 0. Therefore, the valuescorresponding to the authorization codes may only be determined once theclient-server have been authenticated.

In one example, in response to the aforementioned steps, the clientmachine 102 may dynamically generate a one-time code (OTC) using one ormore of the unmasked seed, the authorization codes, and/or the maskedgrid. Then, the client machine 102 may send the OTC to the servermachine 104, where the OTC corresponds to the authorization codes. Insome examples, the client machine 102 may hash the OTC before sending tothe server machine 104. The client machines 102 may postponeconstructing the solution for the cypher text until after theauthorization codes are received from the server machine 104. Because,in some examples, the client machine 102 uses the authorization codesfor constructing the solution for the cypher text. In other example, inaddition to hashing the OTC before sending to the server machine 104,the client machine 102 may decrypt the authorization codes received fromthe server machine.

In response to one or more of the aforementioned steps, the servermachine 104 validates the OTC received from the client machine 102 usingthe data grid 302 stored in memory at the server machine. Aftervalidation of the OTC, the server machine may grant the client machine102 access to a database 106 communicatively coupled to and/orimplemented inside the server machine 104. The database 106 may storedata that only authorized client machines may be provided with access.In some example, the validating the OTC steps may include steps, by theserver machine 104, to un-hash the OTC received from the client machine102, and confirm that the unhashed OTC matches the authorization codesstored in the memory at the server machine. If it does match, the servermachine 104 may authorize the client machine to establish a secureconnection to access the aforementioned database 106 at the servermachine. Although the tables in FIG. 3 are shown with the client machine102 having stored in its memory a masked version 304 of the data grid,in some examples, the data grid may be stored unmasked.

FIG. 4 illustrates a grid of data that may be used with a client machineto generate a one-time code (OTC), in accordance with one or moreexample embodiments disclosed herein. The one-time code (OTC) may bedynamically generated using an unmasked seed, authorization codes,and/or a masked grid. In some examples, all three items may be used togenerate the OTC, but in other examples, all three items may not benecessary. For example, data grid 402 is stored on the client machine102 in an unmasked format. Meanwhile, the reference may includeauthorization codes that are encrypted when transmitted by the clientmachine 102 to the server machine 104. Meanwhile, the OTC may also, insome examples, be hashed. As a result, the table 308 in FIG. 3 may besimilar to the reference array table 404 and OTC 406 in FIG. 4. At leastone benefit of storing in an unmasked format is that less computingpower is necessary to unlock than a masked data grid.

Regarding FIG. 5, one aspect of the disclosure illustrates a system forauthenticating a plurality of client machines 501 with a server machine505 using one-time codes, and the system includes at least a servermachine, a first client machine, a second client machine, and a thirdclient machine. The server machine 505 includes a processor 505A and amemory 505B storing an authentication module (not illustrated in FIG.5). The first client machine 501 includes a processor, a memory, and anetwork communication interface. The memory of the first client machinemay store an interface to the authentication module such that thethrough the interface, the client machine operates in coordination withthe authentication module in the server machine—for example, as in aclient component and server component in a client-server architecture.Of course, in other embodiments, the interface at the first clientmachine might not be a thin interface, but rather a duplicate of theauthentication module at the server machine.

Referring to FIG. 5, the first client machine is communicatively coupledto the server machine via the network communication interface and anetwork 507. As described with respect to FIG. 3, the server machine 505and first client machine 501 may already have been authenticated with aclient-server security architecture that uses a masked grid, a seed,and/or mutual unlocking techniques. For example, the first clientmachine may store a cypher text in memory that includes a masked gridwith a seed, and then construct and transmit a solution for the cyphertext to a server machine 505 to unlock the masked grid. The first clientmachine 501 may perform additional steps to authenticate and validate asecure connection with the server machine 505, as explained with respectto FIG. 3. For example, the authentication module, when executed by theprocessor 505A of the server machine 505, may causes the server machineto retrieve and transmit a seed to the first client machine 501, and inresponse receive a dynamically-generated OTC from the first clientmachine; then, the processor 505A may successfully validate the OTC andsend an indication of grant to the first client machine to access adatabase and/or other resources at the server machine 505.

Therefore, with the first client machine 501 already authenticated withthe server machine 505, the disclosure contemplates that the circle oftrust may be extended to authenticate additional client machines byrecycling aspects of the masked grid, seed, and mutual unlockingtechniques used between the server machine and the first client machine.For example, a second client machine may be coupled to the first clientmachine, as illustrated in FIG. 5. In contrast to the first clientmachine, the second client machine might not be in direct communicationwith the server machine. Rather, as explained herein, the second clientmachine 501 is configured to authenticate and validate a secureconnection with the server machine 505 through the first client machineby using a cypher text that the authentication module of the servermachine used to validate the first client machine 501.

Furthermore, an optional third client machine may be coupled to thesecond client machine. The third client machine may or may not bedirectly connectable to the server machine 505 via a network 507. Insome examples, the third client machine 501 may communicate through thesecond client machine to the first client machine to the server machine505. In other examples, the third client machine may communicatedirectly through the network 507 to the server machine 505. Additionalclient machines may be connected to, either directly or indirectly, withthe client machines 501 in accordance with various aspect of thedisclosure. Other embodiments may include corresponding computersystems, apparatus, and computer programs recorded on one or morecomputer storage devices, each configured to perform the actions of themethods described herein.

Regarding the second client machine 501 in FIG. 5, the second clientmachine may store computer-executable instructions that, when executedby a processor, cause the system 500 to perform one or more steps of amethod for authenticating the plurality of client machines with a servermachine using one-time codes (OTCs). Implementations of the describedtechniques may include hardware, a method or process, or computersoftware on a computer-accessible medium. For example, the second clientmachine 501 may store a second cypher text in memory at the secondclient machine. The second cypher text may include a second masked gridwith a second seed. The second client machine 501 may construct asolution for the second cypher text using the second seed and datavalues in the second masked grid, and then transmit the constructedsecond solution to the first client machine to unlock the second maskedgrid.

In response, the first client machine 501 may unmask the second seedusing the constructed second solution from the second client machine anda second data grid stored in memory at the first client machine. Andthen transmit, by the first client machine, the unmasked second seed tothe second client machine. The first client machine may also transmit asecond authorization codes to the second client machine. With the twomachines working to authenticate their communications channel, thesecond client machine may dynamically generate a second one-time codeusing the second unmasked seed, the second authorization codes, and thesecond masked grid. And then send the second OTC, which corresponds tothe second authorization codes, to the first client machine.

Finally, the first client machine validates the second OTC from thesecond client machine using the second data grid stored in memory at thefirst client machine. After validation of the second OTC by the firstclient machine, the first client machine 501 grants the second clientmachine access to the server machine 505 and its coupled resources.

FIG. 6 depicts illustrative interactions between multiple clientmachines 604, 608, 6010 validating with a master client device 604 and aserver machine (not shown) using a masked grid with a seed, inaccordance with one or more example embodiments. The configuration,implementation, and interactions of the master client device 604 withthe server machine are similar to the steps and components describedwith respect to FIG. 3 and FIG. 5; for example, the master client device604 may already have been authenticated with a server machine. Themaster client device 604 may store a cypher text in memory that includesa masked grid with a seed, and then construct and transmit a solutionfor the cypher text to a server machine to unlock the masked grid. Themaster client device 604 may perform additional steps to authenticateand validate a secure connection with the server machine, as explainedwith respect to FIG. 3.

Furthermore, the master client device 604 in FIG. 6 further interactswith one or more additional client machines 608, 610. The plurality ofclient machines 608, 610 may be embodied with a processor, memory, andcommunications interface similar to client machine 604. Alternatively,the plurality of client machines 608, 610 may be a smartwatch, anaugmented reality (AR) headgear, and/or other user electronic devices.

To further efficiencies and improve security, the master client device604 may recycle aspects of the cypher text to authenticate a secondclient machine, which might not have direct communication with theserver machine. Referring to the masked grid stored at the (master)first client device 604 in FIG. 6, the first client device further maskthe masked grid using a second seed. As explained with respect to FIG.3, the master seed 602 may be provided by a server machine to a firstclient machine to authenticate the server-client communication.Meanwhile, with respect to FIG. 6, the first client machine 604 mayauthenticate with a second client machine 608 by generating an arraywith values corresponding to a seed. In one example, this array storinga seed may be a predetermined row, column, or other pattern of cells inthe masked grid stored at the first client machine. For example, theseed may comprise values A0, B0, C0, D0, and E0 from the maskedgrid—this second seed is different from the master/initial seed sentfrom the server machine. In some examples, to reduce additionalcomputations, the second seed may be identical to the master seed at thecompromise of added security.

Meanwhile, the second client machine may store in its memory the secondcypher text, which includes a second masked grid with the second seed.As the masked grid at client machine 608 illustrates, the masked gridmay comprise static values and/or values calculated with the secondseed. Client machine 608 may store a masked grid with cell F0 equal to“E0+4”; HO equal to “E0+7”; F4 equal to “B0+8”; and J4 equal to “E0+6”.As such, without the actual values of the second seed (e.g., E0, B0, andothers), the second client machine 608 is unable to authenticate andvalidate with the first client machine 604. As indicated in thepreceding examples, the second masked grid with the second seed may be a2-dimensional (2D) matrix with second data values and the second seed.The second seed may include at least variables A0, B0, and C0, whichcorrespond to x-coordinate and y-coordinates in the masked gridformatted as a 2D matrix. The second authorization codes (e.g.,references) includes these variables. The second client machine 608 mayconstruct and transmit a solution for the second cypher text using thesecond seed and data values in the second masked grid. The secondsolution may be transmitted to the first client machine 604 to unlockthe second masked grid.

In some examples, the steps performed may further includes a step tounmask the second seed, by the first client machine 604, using theconstructed second solution from the second client machine 608 and asecond data grid stored in memory at the client machine. The unlockingof the second masked grid may include steps, by the client machine, toidentify portions of the constructed second solution that reference A0,and calculate a value of A0 using the identified portions andcorresponding data values stored in the second data grid. Then, theclient machine confirms that the calculated value of A0 matches a storedvalue of A0 in memory at the client machine. When the values match, theclient device has been validated, and it is safe to transmit the secondunmasked seed, which includes the stored value of A0, to the secondclient machine. The steps performed may further include transmitting, bythe client machine, an unmasked second seed to the second clientmachine, and transmitting, by the client machine, second authorizationcodes (e.g., references) to the second client machine.

The steps of the method performed by the second client machine 608 mayfurther include dynamically generating a second one-time code (OTC) 606using the second unmasked seed, the second authorization codes, and/orthe second masked grid. For example, the OTC 606 may be an array of aplurality of cells from the second masked grid—e.g., F1, G1, H2, I0, J4.The second client machine 608 may be able to identify the values of theOTC 606 only once it successfully authenticates with the master clientmachine 604 and determines the actual values of each cell in the 2Dmatrix corresponding to the second masked grid. In some examples, allthree items—second unmasked seed, the second authorization codes, andthe second masked grid—may be used to generate the OTC 606, but in otherexamples, all three items may not be necessary. Then the second clientmachine 608 may transmit the new OTC to the client machine 604. Themethod may include step to validate, by the client machine 604, thesecond OTC from the second client machine 608 using the second data gridstored in memory at the client machine. After the client machine 604validates the second OTC, the client machine 604 may grant the secondclient machine 608 access to the server machine. This authorization mayoccur, in some examples, by the client machine 604 acting as a conduitto tunnel communication from the second client machine 604 to itsendpoint at the server machine. The second client machine 608 mayencrypt, in some examples, the confidential data content of itscommunication end-to-end with the server machine. In other examples, thecircle of trust created between the server machine and the first clientmachine 604 may be extended to the second client machine 608, thus noadded security is desired for communications between these componentsover the authenticated communication channels.

In some examples, the method may further include steps to hash, by thesecond client machine, the second OTC before sending to the clientmachine. Moreover, in some examples, the second client machine mayreceive the second authorization codes from the client machine, and thendecryption is performed on the second authorization codes beforeconstructing the second solution for the second cypher text. In otherwords, the constructing, by the second client machine, of the secondsolution for the second cypher text may use the second authorizationcodes.

While FIG. 6 illustrates three client machines 604, 608, 610, thedisclosure is not so limited. A masked grid and seed may be used for anynumber of client machines communicatively coupled to the master clientmachine 604 and/or daisy-chained to other client machines 608 in thecomputing environment. In each instance, the OTC 606 may be generatedusing a plurality of values discoverable only after unmasking/unlockinga masked grid and seed at the client machine. The disclosure is notlimited to the specific combinations illustrated in FIG. 6, but ratheris amenable to any combination of seed variable and/or static valuecombinations. For example, a cell in the masked grid may be multipleseeds combined with one or more arithmetic operations and static integervalues.

FIG. 7 depicts an illustrative operating environment in which variousaspects of the present disclosure may be implemented in accordance withone or more example embodiments. Computing system environment 800 may beused according to one or more illustrative embodiments. Computing systemenvironment 800 is only one example of a suitable computing environmentand is not intended to suggest any limitation as to the scope of use orfunctionality contained in the disclosure. Computing system environment800 should not be interpreted as having any dependency or requirementrelating to any one or combination of components shown in illustrativecomputing system environment 800.

Computing system environment 800 may include authentication computingdevice 801 having processor 803 for controlling overall operation ofauthentication computing device 801 and its associated components,including random access memory (RAM) 805, read-only memory (ROM) 807,communications module 809, and memory 815. Authentication computingdevice 801 may include a variety of computer readable media. Computerreadable media may be any available media that may be accessed byauthentication computing device 801, may be non-transitory, and mayinclude volatile and nonvolatile, removable and non-removable mediaimplemented in any method or technology for storage of information suchas computer-readable instructions, object code, data structures, programmodules, or other data. Examples of computer readable media may includeRAM, ROM, Electronically Erasable Programmable Read-Only Memory(EEPROM), flash memory or other memory technology, Compact DiskRead-Only Memory (CD-ROM), Digital Versatile Disk (DVD) or other opticaldisk storage, magnetic cassettes, magnetic tape, magnetic disk storageor other magnetic storage devices, or any other medium that can be usedto store the desired information and that can be accessed byauthentication computing device 801.

Although not required, various aspects described herein may be embodiedas a method, a data transfer system, or as a computer-readable mediumstoring computer-executable instructions. For example, acomputer-readable medium storing instructions to cause a processor toperform steps of a method in accordance with aspects of the disclosedembodiments is contemplated. For example, aspects of method stepsdisclosed herein may be executed on a processor on authenticationcomputing device 801. Such a processor may execute computer-executableinstructions stored on a computer-readable medium.

Software may be stored within memory 815 and/or storage to provideinstructions to processor 803 for enabling authentication computingdevice 801 to perform various functions as discussed herein. Forexample, memory 815 may store software used by authentication computingdevice 801, such as operating system 817, application programs 819, andassociated database 821. Also, some or all of the computer executableinstructions for authentication computing device 801 may be embodied inhardware or firmware. Although not shown, RAM 805 may include one ormore applications representing the application data stored in RAM 805while authentication computing device 801 is on and correspondingsoftware applications (e.g., software tasks) are running onauthentication computing device 801.

Communications module 809 may include a microphone, keypad, touchscreen, and/or stylus through which a user of authentication computingdevice 801 may provide input, and may also include one or more of aspeaker for providing audio output and a video display device forproviding textual, audiovisual and/or graphical output. Computing systemenvironment 800 may also include optical scanners (not shown).

Authentication computing device 801 may operate in a networkedenvironment supporting connections to one or more remote computingdevices, such as computing devices 841 and 851. Computing devices 841and 851 may be personal computing devices or servers that include any orall of the elements described above relative to authentication computingdevice 801.

The network connections depicted in FIG. 7 may include Local AreaNetwork (LAN) 825 and Wide Area Network (WAN) 829, as well as othernetworks. When used in a LAN networking environment, authenticationcomputing device 801 may be connected to LAN 825 through a networkinterface or adapter in communications module 809. When used in a WANnetworking environment, authentication computing device 801 may includea modem in communications module 809 or other means for establishingcommunications over WAN 829, such as network 831 (e.g., public network,private network, Internet, intranet, and the like). The networkconnections shown are illustrative and other means of establishing acommunications link between the computing devices may be used. Variouswell-known protocols such as Transmission Control Protocol/InternetProtocol (TCP/IP), Ethernet, File Transfer Protocol (FTP), HypertextTransfer Protocol (HTTP) and the like may be used, and the system can beoperated in a client-server configuration to permit a user to retrieveweb pages from a web-based server.

The disclosure is operational with numerous other computing systemenvironments or configurations. Examples of computing systems,environments, and/or configurations that may be suitable for use withthe disclosed embodiments include, but are not limited to, personalcomputers (PCs), server computers, hand-held or laptop devices, smartphones, multiprocessor systems, microprocessor-based systems, set topboxes, programmable consumer electronics, network PCs, minicomputers,mainframe computers, distributed computing environments that include anyof the above systems or devices, and the like that are configured toperform the functions described herein.

One or more aspects of the disclosure may be embodied in computer-usabledata or computer-executable instructions, such as in one or more programmodules, executed by one or more computers or other devices to performthe operations described herein. Generally, program modules includeroutines, programs, objects, components, data structures, and the likethat perform particular tasks or implement particular abstract datatypes when executed by one or more processors in a computer or otherdata processing device. The computer-executable instructions may bestored as computer-readable instructions on a computer-readable mediumsuch as a hard disk, optical disk, removable storage media, solid-statememory, RAM, and the like. The functionality of the program modules maybe combined or distributed as desired in various embodiments. Inaddition, the functionality may be embodied in whole or in part infirmware or hardware equivalents, such as integrated circuits,application-specific integrated circuits (ASICs), field programmablegate arrays (FPGA), and the like. Particular data structures may be usedto more effectively implement one or more aspects of the disclosure, andsuch data structures are contemplated to be within the scope of computerexecutable instructions and computer-usable data described herein.

Various aspects described herein may be embodied as a method, anapparatus, or as one or more computer-readable media storingcomputer-executable instructions. Accordingly, those aspects may takethe form of an entirely hardware embodiment, an entirely softwareembodiment, an entirely firmware embodiment, or an embodiment combiningsoftware, hardware, and firmware aspects in any combination. Inaddition, various signals representing data or events as describedherein may be transferred between a source and a destination in the formof light or electromagnetic waves traveling through signal-conductingmedia such as metal wires, optical fibers, or wireless transmissionmedia (e.g., air or space). In general, the one or morecomputer-readable media may be and/or include one or more non-transitorycomputer-readable media.

As described herein, the various methods and acts may be operativeacross one or more computing servers and one or more networks. Thefunctionality may be distributed in any manner, or may be located in asingle computing device (e.g., a server, a client computer, and thelike). For example, in alternative embodiments, one or more of thecomputing platforms discussed above may be combined into a singlecomputing platform, and the various functions of each computing platformmay be performed by the single computing platform. In such arrangements,any and/or all of the above-discussed communications between computingplatforms may correspond to data being accessed, moved, modified,updated, and/or otherwise used by the single computing platform.Additionally or alternatively, one or more of the computing platformsdiscussed above may be implemented in one or more virtual machines thatare provided by one or more physical computing devices. In sucharrangements, the various functions of each computing platform may beperformed by the one or more virtual machines, and any and/or all of theabove-discussed communications between computing platforms maycorrespond to data being accessed, moved, modified, updated, and/orotherwise used by the one or more virtual machines.

Aspects of the disclosure have been described in terms of illustrativeembodiments thereof. Numerous other embodiments, modifications, andvariations within the scope and spirit of the appended claims will occurto persons of ordinary skill in the art from a review of thisdisclosure. For example, one or more of the steps depicted in theillustrative figures may be performed in other than the recited order,and one or more depicted steps may be optional in accordance withaspects of the disclosure. The use of one-time password (OTP) andone-time code (OTC) is interchangeable in the disclosure. OTP is notlimited to traditional text passwords used by humans; rather, OTP is thesame as OTC in that the password may be any code usable by a humanand/or machine.

We claim:
 1. A method for enrolling a client machine with a servermachine for later authentication with a one-time code (OTC), the methodcomprising steps performed by the server machine to: receive anenrollment request from the client machine; generate a plurality of datavalues and store the plurality of data values in a data grid in memoryon the server machine; generate a seed and store the seed in a dataarray in memory on the server machine; transform the data grid into amasked data grid using the seed; hash the seed; transmit a cypher textto the client machine, wherein the cypher text comprises the masked datagrid and the hashed seed, wherein the client machine solves the cyphertext to authenticate itself with the server machine; and validate theOTC received from the client machine using the data grid to grant theclient machine an access to the server machine.
 2. The method of claim1, further including steps performed by the server machine to: receivethe OTC from the client machine; validate the OTC using the data grid,authorization codes, and the seed; and after validation of the OTC,grant access to the client machine to a database communicatively coupledto the server machine, wherein prior to the validating the clientmachine was prohibited from accessing the database.
 3. The method ofclaim 1, further including steps performed by the server machine to:receive a constructed solution generated by the client machine using theseed and data values in the masked data grid; unmask the seed using theconstructed solution from the client machine and the data grid stored inthe memory at the server machine; transmit an unmasked seed to theclient machine; and transmit authorization codes to the client machine.4. The method of claim 3, wherein the authorization codes from theserver machine are received, by the client machine, before constructingthe solution for the cypher text; and wherein the constructing, by theclient machine, the solution for the cypher text uses the authorizationcodes.
 5. The method of claim 3, wherein the masked data grid is atwo-dimensional (2D) matrix with data values.
 6. The method of claim 5,wherein the seed comprises at least values S0, S1, and S2, and whereinthe authorization codes comprise x-coordinates and y-coordinatescorresponding to the 2D matrix.
 7. The method of claim 3, wherein thedata grid stored in the memory at the server machine comprises atwo-dimensional (2D) matrix with the plurality of data valuescorresponding to x-coordinates and y-coordinates on the 2D matrix, andwherein the authorization codes are x-y coordinate pairingscorresponding to the 2D matrix.
 8. The method of claim 2, wherein thevalidating the OTC further includes steps performed by the servermachine comprising: un-hashing the OTC received from the client machine;confirming that the unhashed OTC matches the authorization codes storedin the memory at the server machine; and establishing a secureconnection for the client machine to access the database at the servermachine.
 9. A system for enrolling a client machine with a servermachine for later authentication with a one-time code (OTC), the systemcomprising: a server machine comprising a processor and a memory storingan authentication module; and a client machine comprising a processor, amemory, and a network communication interface, wherein the clientmachine is communicatively coupled to the server machine via the networkcommunication interface, wherein the memory of the client machinefurther stores an interface to the authentication module; wherein theauthentication module, when executed by the processor of the servermachine, causes the server machine to: receive an enrollment requestfrom the client machine; generate a plurality of data values and storethe plurality of data values in a data grid in the memory on the servermachine; generate a seed and store the seed in a data array in thememory on the server machine, wherein the seed comprises at least valuesS0, S1, and S2; transform the data grid into a masked data grid usingthe seed, wherein the masked data grid is a 2D matrix with the pluralityof data values; transmit a cypher text to the client machine, whereinthe cypher text comprises the masked data grid and the seed, wherein theclient machine solves the cypher text to authenticate itself with theserver machine; and validate the OTC received from the client machineusing the data grid to grant the client machine an access to the servermachine.
 10. The system of claim 9, wherein the authentication module,when executed by the processor of the server machine, causes the servermachine to: receive the OTC from the client machine; validate the OTCusing the data grid, authorization codes, and the seed; and aftervalidation of the OTC, grant access to the client machine to a databasecommunicatively coupled to the server machine, wherein prior to thevalidating the client machine was prohibited from accessing thedatabase.
 11. The system of claim 9, wherein the memory of the servermachine further stores computer-executable instructions that, whenexecuted by the processor of the server machine, causes the servermachine to: receive a constructed solution generated by the clientmachine using the seed and data values in the masked data grid; unmaskthe seed using the constructed solution from the client machine and thedata grid stored in the memory at the server machine; transmit anunmasked seed to the client machine; and transmit authorization codes tothe client machine, wherein the authorization codes from the servermachine are received, by the client machine, before constructing thesolution for the cypher text; and wherein the constructing, by theclient machine, the solution for the cypher text uses the authorizationcodes.
 12. The system of claim 11, wherein the masked data grid is atwo-dimensional (2D) matrix with data values, and wherein the seedcomprises at least the values S0, S1, and S2, and wherein theauthorization codes comprise x-coordinates and y-coordinatescorresponding to the 2D matrix.
 13. The system of claim 11, wherein thedata grid stored in the memory at the server machine comprises atwo-dimensional (2D) matrix with the plurality of data valuescorresponding to x-coordinates and y-coordinates on the 2D matrix, andwherein the authorization codes are x-y coordinate pairingscorresponding to the 2D matrix.
 14. The system of claim 10, wherein thevalidating the OTC further includes steps performed by the servermachine comprising: un-hashing the OTC received from the client machine;confirming that the unhashed OTC matches the authorization codes storedin the memory at the server machine; and establishing a secureconnection for the client machine to access the database at the servermachine.
 15. An apparatus for enrolling a client machine for laterauthentication with a onetime code (OTC), the apparatus comprising: anetwork communication interface communicatively coupling the apparatuswith the client machine; a processor; and a memory storingcomputer-executable instructions that, when executed by the processor,cause the apparatus to: process an enrollment request received from theclient machine; generate a plurality of data values and store theplurality of data values in a data grid in the memory; generate a seedand store the seed in a data array in the memory, wherein the seedcomprises at least values S0, S1, and S2; transform the data grid into amasked data grid using the seed, wherein the masked data grid is a 2Dmatrix with the plurality of data values; transmit a cypher text to theclient machine over the network communication interface, wherein thecypher text comprises the masked data grid and the seed, wherein theclient machine solves the cypher text to authenticate itself with theapparatus; and validate the OTC received from the client machine usingthe data grid to grant the client machine an access to the apparatus.16. The apparatus of claim 15, wherein the memory further storescomputer-executable instructions that, when executed by the processor,causes the apparatus to: receive the OTC from the client machine;validate the OTC using the data grid, authorization codes, and the seed;and after validation of the OTC, grant access to the client machine to adatabase communicatively coupled to the apparatus, wherein prior to thevalidating the client machine was prohibited from accessing thedatabase.
 17. The apparatus of claim 15, wherein the memory furtherstores computer-executable instructions that, when executed by theprocessor, causes the apparatus to: receive a constructed solutiongenerated by the client machine using the seed and data values in themasked data grid; unmask the seed using the constructed solution fromthe client machine and the data grid stored in the memory; transmit anunmasked seed to the client machine; and transmit authorization codes tothe client machine, wherein the authorization codes are received, by theclient machine, before constructing the solution for the cypher text;and wherein the constructing, by the client machine, the solution forthe cypher text uses the authorization codes.
 18. The apparatus of claim17, wherein the masked data grid is a two-dimensional (2D) matrix withdata values, and wherein the seed comprises at least the values S0, S1,and S2, and wherein the authorization codes comprise x-coordinates andy-coordinates corresponding to the 2D matrix.
 19. The apparatus of claim17, wherein the data grid stored in the memory comprises atwo-dimensional (2D) matrix with the plurality of data valuescorresponding to x-coordinates and y-coordinates on the 2D matrix, andwherein the authorization codes are x-y coordinate pairingscorresponding to the 2D matrix.
 20. The apparatus of claim 16, whereinthe validating the OTC further includes steps performed by the apparatuscomprising: un-hashing the OTC received from the client machine;confirming that the unhashed OTC matches the authorization codes storedin the memory; and establishing a secure connection for the clientmachine to access the database.